<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Comprehensive approach to the detection and analysis of polymorphic malware</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Maksym Chaikovskyi</string-name>
          <email>max.chaikovskyi@gmail.com</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Inna Chaikovska</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Tomas Sochor</string-name>
          <email>tomas.sochor@osu.cz</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Inna Martyniuk</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Oleksii Lyhun</string-name>
          <email>oleksii.lyhun@gmail.com</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Khmelnytskyi National University</institution>
          ,
          <addr-line>Instytuts'ka Str. 11, 29000, Khmelnytskyi</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Prigo University</institution>
          ,
          <addr-line>Havirov</addr-line>
          ,
          <country country="CZ">Czech Republic</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>The article examines the features of modern polymorphic malware and its impact on the functioning of computer systems. Existing approaches and methods of its detection and analysis are considered, such as: string search algorithm, intelligent data analysis, sandbox analysis, machine learning, structural feature engineering. Their advantages and disadvantages are determined. The necessity of using a new approach, namely the detection of malicious software using probabilistic logical networks, is argued. Its advantages and development prospects are determined. In the study, a comprehensive approach consisting of 3 stages is proposed for the detection of polymorphic malware. The first one uses string search algorithms. The second is a complex of methods, including intelligent data analysis, sandbox analysis, machine learning, and structural feature engineering. In the third step, the use of probabilistic logical networks is proposed, which will allow establishing the probability that the software belongs to polymorphic malware. The use of the proposed integrated approach will also allow to determine the necessary methods for neutralization of detected malicious software. This approach will maximize the probability of detecting polymorphic malware.</p>
      </abstract>
      <kwd-group>
        <kwd>malicious software</kwd>
        <kwd>string search algorithm</kwd>
        <kwd>intelligent data analysis</kwd>
        <kwd>sandbox analysis</kwd>
        <kwd>machine learning</kwd>
        <kwd>structural feature engineering</kwd>
        <kwd>probabilistic logic networks</kwd>
        <kwd>complex approach</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>The search for and elimination of computer viruses is becoming an increasingly urgent and
complex problem every year. After all, they pose a threat to the smooth functioning of computer
systems that are used in increasingly critical areas of human activity. Therefore, the
development of methods and means of neutralizing malicious software is one of the promising
and priority research tasks in the field of computer science. Despite the continuous
improvement of anti-virus software, the generation and distribution of malicious software
increases year by year. One of the most serious problems faced by the developers of antivirus
software is the automatic mutation of the code of the malicious program. The mechanism of
mutation and permutation of malicious program code is called polymorphism. Polymorphic
malware cannot be identified by signature analysis alone. Therefore, new and improved methods
of analysis of modern malicious software are required for this purpose.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Literature Review</title>
      <p>
        Among the scientists who studied the issue of detection and analysis of malicious software,
the following can be distinguished: O. Savenko [
        <xref ref-type="bibr" rid="ref1 ref2 ref3 ref4">1-4</xref>
        ], S. Lysenko [
        <xref ref-type="bibr" rid="ref1 ref2 ref3 ref4">1-4</xref>
        ], A. Nicheporuk [
        <xref ref-type="bibr" rid="ref1 ref2 ref3 ref4">1-4</xref>
        ],
A. Damodaran [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ], K. Brezinski [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ], M. Singh [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ], B. Anderson [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ], L. Bilge [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ], U. Urooj [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ],
K. Gundogan [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] etc.
      </p>
      <p>
        Among the latest methods of analysis of modern malware [
        <xref ref-type="bibr" rid="ref1 ref2 ref3 ref4 ref5">1-5</xref>
        ] are some artificial
intelligence (machine learning) algorithms that analyze a malicious program in a virtual
machine. A virtual machine can run a packaged potentially dangerous file and dynamically
analyze it, automatically testing code and behavior. In addition, the latest research looks
promising, where anti-virus software uses modern machine learning methods and real-time
behavior analysis in combination with static methods to identify suspicious activity and prevent
threats. This approach to malware detection is called hybrid [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ]. The importance and relevance
of the topic of protection against malicious software is also evidenced by statistical data.
According to the statistics company Statistica, the number of cyber attacks on computer
systems increases from year to year, as shown in Figure 1, while Figure 2 shows the number
of attacks on computer systems by type of malicious software.
      </p>
      <p>
        Polymorphic malware is a type of virus that can change its code while retaining its core
functionality. These viruses usually have a mutation mechanism based on code obfuscation,
packing, and metamorphism techniques that encrypt or decrypt the virus code, each time
creating a unique program code [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ]. This adaptive behavior makes static signature-based
detection methods ineffective because the malware code differs with each iteration of infection.
Thus, the need for dynamic and proactive detection and remediation methods to combat
polymorphic malware has become more important than ever. Polymorphic viruses use several
adaptive strategies to ensure that they are not detected and neutralized. One of the most
common strategies is code encryption using unique encryption algorithms [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ]. This encryption
makes it difficult for antivirus software to detect the virus because it looks like a harmless file.
A well-known block diagram of polymorphic malware detection is shown in Figure 3.
      </p>
      <p>
        In addition, the virus may carry an unpacking routine that only runs when the file is opened,
making it more difficult to detect. Finally, polymorphic malware often uses anti-analysis
techniques to thwart reverse engineering attempts. These may include code obfuscation,
anti-reverse-engineering procedures, and others [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ]. By applying these
techniques, polymorphic malware becomes even more elusive, making detection and analysis
quite a challenge.
      </p>
      <p>
        Detection of polymorphic malware requires the use of a combination of static and dynamic
analysis methods [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ]. While static analysis can provide initial insight into malware behavior,
it is often ineffective due to the rapid change of polymorphic malware code. Therefore, dynamic
analysis methods are important for effective threat detection and neutralization. Dynamic
analysis involves running malware in a controlled environment, such as a virtual machine or
sandbox, to observe its behavior [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ]. By monitoring system actions, file modifications, network
connections, and other indicators, security analysts can identify suspicious behavior and
classify malware accordingly [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. Behavioral analysis techniques are often used to improve
detection capabilities. These methods include monitoring the file's runtime behavior, analyzing
its actions, and assessing the risks it poses. By comparing the behavior of a potentially malicious
executable against known patterns and heuristics, security tools can quickly identify instances
of polymorphic malware. In addition, machine learning algorithms play an important role in
detecting polymorphic malware. By learning from models and large datasets of known malware,
these algorithms learn to identify malicious files and distinguish between polymorphic malware
and legitimate software. This approach provides an efficient and scalable solution to combat the
ever-growing threat of polymorphic malware. As polymorphic malware continues to evolve
and evade traditional methods of detection and remediation, implementing effective
countermeasures becomes an increasingly urgent need. Failure to mitigate the threat of
polymorphic malware can lead to catastrophic consequences such as data leakage, financial
loss, and reputational damage.
      </p>
      <sec id="sec-2-1">
        <title>2.1. String searching algorithms</title>
        <p>
          String searching is a simple and effective method used in cyber security to detect
potential malware in a system [
          <xref ref-type="bibr" rid="ref13 ref14">13, 14</xref>
          ]. It involves scanning binary code or application code
for specific strings that are commonly associated with malware.
        </p>
        <p>One of the most common tools for finding strings is the strings command on Unix-based
systems. This command scans a file and outputs every sufficiently long run of printable
characters, which usually corresponds to human-readable strings embedded in the program.</p>
        <p>In the context of malware detection, these strings can provide valuable information about
the potential behavior of a suspicious file. For example, they can reveal suspicious API calls,
file paths, URLs, or registry keys that are often associated with malicious activity.</p>
        <p>However, string searching is not a reliable method. Advanced malware writers often use
obfuscation techniques to hide their strings, or they may avoid using suspicious strings
altogether. In addition, legitimate programs may also contain suspicious-looking strings by
accident.</p>
        <p>Therefore, while string searches can be a useful first step in malware analysis, it is
important to confirm the results using other methods. This can include dynamic analysis
(observing the program's behavior at runtime), static analysis (examining the program's
code without running it), or heuristic analysis (comparing the program's behavior or code
patterns with known malware signatures).</p>
        <p>As such, the method of searching for malware strings is a valuable tool in the
cybersecurity analyst's arsenal, but it should be used as part of a broader, comprehensive
approach to malware detection and analysis.</p>
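        <p>An added illustration (not code from the paper) of the strings-based first stage in Python: it reimplements the printable-run extraction of the strings command, tags each extracted string with an indicator category, and shows on a constructed byte sample that a URL stored XOR-encoded is missed until the blob is decoded, which is the obfuscation limitation described above. The indicator patterns, API names and sample bytes are assumptions.</p>

```python
import re

MIN_LEN = 4  # same default run length as the Unix strings command

# Indicator patterns an analyst would look for in extracted strings
# (assumed, illustrative patterns; not an exhaustive rule set).
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[\w.\-/]+"),
    "registry_key": re.compile(r"HKEY_[A-Z_]+\\[\w\\]+"),
    "windows_path": re.compile(r"[A-Za-z]:\\[\w\\. ]+"),
    "api_call": re.compile(
        r"\b(CreateRemoteThread|WriteProcessMemory|VirtualAllocEx|IsDebuggerPresent)\b"),
}


def extract_strings(data, min_len=MIN_LEN):
    """Return runs of printable ASCII of at least min_len bytes, as strings does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, data)]


def classify_strings(strings):
    """Group extracted strings by the indicator category they match."""
    hits = {name: [] for name in INDICATOR_PATTERNS}
    for s in strings:
        for name, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(s):
                hits[name].append(s)
    return hits


def indicator_counts(data):
    """Number of matching strings per indicator category in a byte blob."""
    hits = classify_strings(extract_strings(data))
    return {name: len(found) for name, found in hits.items()}


def xor_bytes(data, key):
    """Single-byte XOR; used here only to build the obfuscated sample."""
    return bytes(b ^ key for b in data)


# Constructed sample: a few code-like bytes, two plaintext indicators and one
# indicator (a URL) stored XOR-encoded, as an obfuscating author would do.
PLAIN = (b"\x55\x8b\xec\x83\xec\x10"
         + b"IsDebuggerPresent\x00"
         + b"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
         + b"\x90\x90\xc3")
HIDDEN = xor_bytes(b"http://example.invalid/payload.bin", 0x5A)
SAMPLE = PLAIN + HIDDEN + b"\x00\x00"

if __name__ == "__main__":
    # The encoded URL survives as a printable but meaningless run, so the
    # "url" category stays empty until the hidden bytes are decoded.
    print(classify_strings(extract_strings(SAMPLE)))
    print(classify_strings(extract_strings(xor_bytes(HIDDEN, 0x5A))))
```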
      </sec>
      <sec id="sec-2-2">
        <title>2.2. Intelligent data analysis</title>
        <p>
          One of the most promising ways to detect malware is the use of data analysis methods.
These techniques involve analyzing large data sets to identify patterns, associations, or
anomalies that may indicate malicious activity [
          <xref ref-type="bibr" rid="ref15">15, 16</xref>
          ].
        </p>
        <p>The first step in the data mining discovery method is data collection. This involves
collecting a wide range of data, such as network traffic logs, tracking system calls and user
actions. Data can be collected from a single machine or a network of computers for broader
analysis.</p>
        <p>Once data is collected, it is usually pre-processed to convert it into a format suitable for
data analysis. For example, raw data may need to be converted to a numeric representation,
or filtered to remove irrelevant records.</p>
        <p>Then, the pre-processed data is subjected to data mining algorithms. There are several
types of data mining techniques that can be used, including classification, clustering,
regression, and anomaly detection. These techniques can help identify patterns or
anomalies that may indicate the presence of malware.</p>
        <p>Finally, the results can be presented in a format that is easily interpreted by computer
security analysts, such as a visual dashboard or notification system.</p>
        <p>Classification, for example, involves training a model to recognize the characteristics of
known malware and then using that model to classify new data as safe or malicious.
Clustering, on the other hand, groups similar data together, which can help identify patterns
in the data that may indicate an attack.</p>
        <p>After the data mining process, the results are often post-processed to remove any false
positives or negatives. This may include cross-checking the results with other detection
methods or manually checking for malware detection.</p>
        <p>It is worth noting that while data mining can be a powerful tool for malware detection,
it is not foolproof. It can produce both false positives and false negatives, so it cannot
detect all types of malware on its own. However, when combined with other detection
methods, data mining can significantly improve a system's ability to detect and respond to
malware threats.</p>
      </sec>
      <sec id="sec-2-3">
        <title>2.3. Sandbox analysis</title>
        <p>Malware sandbox analysis is a technique used by cybersecurity professionals to analyze and
understand the behavior of malware in a controlled environment [17, 18]. It involves
running malware in a virtual or isolated environment, known as a sandbox, to observe its
activities and gather valuable information.</p>
        <p>The goal of malware analysis is to reveal the capabilities of the malware, identify
potential threats, and develop effective countermeasures. By executing malware in a
controlled environment, analysts can study its interactions with the operating system,
network, and other software components.</p>
        <p>During the analysis, various dynamic and static techniques are used. Dynamic analysis
includes monitoring the malware's runtime behavior, such as file system modifications,
network communication, and system calls. Static analysis, on the other hand, focuses on
examining the code and structure of the malware without execution.</p>
        <p>Information gathered from analyzing the behavior of a malicious program in an isolated
software environment helps identify infection vectors, command-and-control infrastructure,
payload delivery mechanisms, and potential data theft methods. This knowledge is critical
to developing effective detection methods, updating security controls, and mitigating the
impact of malware attacks.</p>
        <p>In summary, analysis in an isolated software environment is an important component of
modern cybersecurity practices. It provides valuable information about the behavior and
characteristics of malware, allowing cybersecurity organizations to improve their defense
mechanisms and develop forward-looking methods to counter new threats.</p>
        <p>Traditional malware detection methods often struggle to keep up with the rapidly
evolving malware attack landscape. Machine learning techniques have become a powerful
tool to improve malware detection and combat these threats.</p>
      </sec>
      <sec id="sec-2-4">
        <title>2.4. Machine learning algorithms</title>
        <p>Machine learning algorithms can analyze large amounts of data and extract patterns and
features that can be used to detect malicious behavior [19, 20, 21]. By training models on
known malware samples and legitimate software, machine learning algorithms can learn to
distinguish between them and accurately classify new and unknown files.</p>
        <p>One of the key benefits of using machine learning to detect malware is its ability to adapt
and learn from new threats. As new types of malware emerge, machine learning models can
be updated and retrained to effectively detect these new threats.</p>
        <p>There are several approaches to malware detection using machine learning, including
static analysis and dynamic analysis. Static analysis involves examining the code and
structure of a file without executing it, while dynamic analysis involves running the file in a
controlled environment to observe its behavior. Both approaches can provide valuable
information for malware detection.</p>
        <p>Cesare and Xiang proposed a polymorphic malware classification method called Malwise
(Figure 4), which uses program-level emulation to unpack the malware code [22].</p>
        <p>However, it is important to note that detecting malware using machine learning is not
without challenges. Adversarial attacks, where attackers manipulate malware to avoid
detection, can pose a significant problem. In addition, the large volume of data and the need
to constantly update and retrain models require significant computing resources.</p>
        <p>In summary, machine learning offers promising solutions for malware detection by
leveraging its ability to analyze vast amounts of data and identify patterns. By constantly
improving and updating models, machine learning can improve the security of computer
systems and networks against new malware threats.</p>
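        <p>To make the second-stage pipeline of Sections 2.2 to 2.4 concrete, this added Python example (not from the paper) collects constructed sandbox event logs, pre-processes them into binary behaviour features, trains a Bernoulli naive Bayes classifier on labelled samples, and post-processes borderline verdicts into a manual-review queue instead of forcing a label. The log contents, API names, derived flags and the review margin are assumptions.</p>

```python
import math
from collections import Counter

# Constructed sandbox logs, one event per line in the form "api argument".
# Illustrative samples only; they are not output of a real sandbox.
TRAINING = [
    ("malicious", """
        CreateFile C:\\Users\\victim\\AppData\\Roaming\\svch0st.exe
        WriteFile C:\\Users\\victim\\AppData\\Roaming\\svch0st.exe
        RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
        CreateRemoteThread pid=1204
        connect 203.0.113.5:443"""),
    ("malicious", """
        CreateFile C:\\ProgramData\\upd.tmp
        VirtualAllocEx pid=880
        WriteProcessMemory pid=880
        CreateRemoteThread pid=880
        connect 198.51.100.7:8080"""),
    ("benign", """
        CreateFile C:\\Users\\victim\\Documents\\report.docx
        ReadFile C:\\Users\\victim\\Documents\\report.docx
        WriteFile C:\\Users\\victim\\Documents\\report.docx
        RegQueryValue HKCU\\Software\\Microsoft\\Office"""),
    ("benign", """
        CreateFile C:\\Users\\victim\\Pictures\\photo.png
        ReadFile C:\\Users\\victim\\Pictures\\photo.png
        connect 203.0.113.9:443"""),
]

INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}


def featurize(log):
    """Pre-processing: turn raw log lines into a set of binary features
    (API names plus a few behaviour flags an analyst would derive)."""
    feats = set()
    for line in log.strip().splitlines():
        api, _, arg = line.strip().partition(" ")
        if not api:
            continue
        feats.add("api:" + api)
        if api == "RegSetValue" and arg.endswith("\\Run"):
            feats.add("persistence_run_key")
        if api in INJECTION_APIS:
            feats.add("process_injection")
        if api == "connect":
            feats.add("network")
    return feats


class BernoulliNB:
    """Bernoulli naive Bayes with Laplace smoothing over binary features."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.n = Counter()      # samples per class
        self.present = {}       # class -> Counter of feature occurrences
        self.vocab = set()

    def fit(self, samples):
        for label, feats in samples:
            self.n[label] += 1
            self.present.setdefault(label, Counter()).update(feats)
            self.vocab.update(feats)

    def _log_joint(self, label, feats):
        lp = math.log(self.n[label] / sum(self.n.values()))
        for f in self.vocab:
            p = (self.present[label][f] + self.alpha) / (self.n[label] + 2 * self.alpha)
            lp += math.log(p) if f in feats else math.log(1 - p)
        return lp

    def predict_proba(self, feats):
        lps = {c: self._log_joint(c, feats) for c in self.n}
        m = max(lps.values())
        z = sum(math.exp(v - m) for v in lps.values())
        return {c: math.exp(v - m) / z for c, v in lps.items()}


def post_process(p_malicious, margin=0.15):
    """Post-processing: hand borderline verdicts to an analyst instead of
    emitting a confident label (cuts both false positives and negatives)."""
    if abs(p_malicious - 0.5) > margin:
        return "malicious" if p_malicious > 0.5 else "benign"
    return "manual_review"


def build_model():
    model = BernoulliNB()
    model.fit([(label, featurize(log)) for label, log in TRAINING])
    return model


def classify(model, log):
    """Returns (probability of malicious, post-processed verdict)."""
    p = model.predict_proba(featurize(log))["malicious"]
    return p, post_process(p)


if __name__ == "__main__":
    model = build_model()
    print(classify(model, "CreateFile C:\\Windows\\Temp\\a.exe\nWriteProcessMemory pid=33\n"
                          "CreateRemoteThread pid=33\nconnect 192.0.2.4:4444"))
```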
      </sec>
      <sec id="sec-2-5">
        <title>2.5. Structural feature engineering</title>
        <p>Structural feature engineering is a key aspect of the development of effective malware
detection models [23-25].</p>
        <p>By extracting meaningful features from structured data, data analysts and researchers can
improve the accuracy and reliability of their malware detection systems.</p>
        <p>The following steps describe a structural feature engineering method specifically designed
for malware detection:
1. Understanding the data: gaining a complete understanding of the structure and
characteristics of the malware data, identifying the relevant variables, their types, and any
patterns or relationships present in the dataset.
2. Feature identification: identifying features that may be informative for malware
detection, through domain knowledge, exploratory data analysis, or statistical techniques
specifically designed for malware detection.
3. Feature extraction: extracting the selected features from raw malware data and converting
them into a format suitable for analysis, applying mathematical transformations, scaling,
normalization or encoding as preprocessing of the features.
4. Feature construction: creating new features by combining or modifying existing ones in
a way that captures important aspects of malware behavior, such as aggregations,
mathematical operations, or interactions between variables.
5. Feature selection: selecting the most relevant features that contribute significantly to
malware detection, which reduces dimensionality and improves the efficiency and accuracy
of the detection model.
6. Feature encoding: encoding categorical features into numerical representations that
machine learning algorithms can process, using techniques such as one-hot encoding,
label encoding, or target encoding.
7. Feature scaling: scaling features to a common range so that they have comparable
magnitudes, using standardization or normalization.
8. Feature validation: validating the engineered features by evaluating their performance in
a malware detection model, using cross-validation and model evaluation metrics to measure
their contribution and iteratively improve them as needed.</p>
        <p>By following this method of developing structural features, analysts and data scientists can
improve the accuracy and reliability of their malware detection systems, leading to improved
cybersecurity and anti-malware measures.</p>
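        <p>As an added example (not the paper's code), the following Python pipeline runs steps 3 to 8 above on constructed structural records: derived and interaction features are built, the packer field is one-hot encoded, features are min-max scaled and ranked by class-mean separation, and the selected set is validated with leave-one-out nearest-centroid classification. The records, field names, ranking score and classifier are assumptions chosen to keep the pipeline dependency-free.</p>

```python
# Constructed structural records (illustrative, not real samples). Fields mimic
# what one would pull from an executable's headers: section count, number of
# executable sections, mean section entropy, import count, detected packer.
RECORDS = [
    {"sections": 4, "exec_sections": 1, "entropy": 5.1, "imports": 120, "packer": "none", "label": 0},
    {"sections": 5, "exec_sections": 1, "entropy": 5.4, "imports": 95, "packer": "none", "label": 0},
    {"sections": 3, "exec_sections": 1, "entropy": 4.9, "imports": 150, "packer": "none", "label": 0},
    {"sections": 6, "exec_sections": 2, "entropy": 6.0, "imports": 60, "packer": "upx", "label": 0},
    {"sections": 2, "exec_sections": 2, "entropy": 7.6, "imports": 3, "packer": "custom", "label": 1},
    {"sections": 3, "exec_sections": 2, "entropy": 7.4, "imports": 5, "packer": "custom", "label": 1},
    {"sections": 2, "exec_sections": 1, "entropy": 7.8, "imports": 2, "packer": "upx", "label": 1},
    {"sections": 4, "exec_sections": 3, "entropy": 7.2, "imports": 8, "packer": "custom", "label": 1},
]
NUMERIC = ["sections", "exec_sections", "entropy", "imports"]
CATEGORICAL = {"packer": ["none", "upx", "custom"]}


def extract(rec):
    """Steps 3 and 4: pull numeric fields and build derived/interaction features."""
    f = {k: float(rec[k]) for k in NUMERIC}
    f["exec_ratio"] = rec["exec_sections"] / rec["sections"]
    f["packed_entropy"] = f["entropy"] * f["exec_ratio"]  # interaction feature
    return f


def one_hot(rec, feats):
    """Step 6: one-hot encode categorical fields into 0/1 columns."""
    for col, values in CATEGORICAL.items():
        for v in values:
            feats[col + "=" + v] = 1.0 if rec[col] == v else 0.0
    return feats


def fit_scaler(rows):
    """Step 7: min-max parameters per feature, learned from the data."""
    return {k: (min(r[k] for r in rows), max(r[k] for r in rows)) for k in rows[0]}


def scale(row, params):
    out = {}
    for k, (lo, hi) in params.items():
        out[k] = 0.0 if hi == lo else (row[k] - lo) / (hi - lo)
    return out


def select(rows, labels, top_k):
    """Step 5: rank features by separation of class means on scaled data."""
    pos = [r for r, y in zip(rows, labels) if y == 1]
    neg = [r for r, y in zip(rows, labels) if y == 0]
    score = {}
    for k in rows[0]:
        mean_pos = sum(r[k] for r in pos) / len(pos)
        mean_neg = sum(r[k] for r in neg) / len(neg)
        score[k] = abs(mean_pos - mean_neg)
    return sorted(score, key=score.get, reverse=True)[:top_k]


def nearest_centroid(train_rows, train_labels, row, keys):
    """Minimal classifier used only to validate the selected features."""
    cents = {}
    for y in (0, 1):
        grp = [r for r, l in zip(train_rows, train_labels) if l == y]
        cents[y] = {k: sum(r[k] for r in grp) / len(grp) for k in keys}
    dist = {y: sum((row[k] - c[k]) ** 2 for k in keys) for y, c in cents.items()}
    return min(dist, key=dist.get)


def pipeline(records, top_k=3):
    """Steps 3 to 8 end to end; returns (selected features, leave-one-out accuracy)."""
    raw = [one_hot(r, extract(r)) for r in records]
    labels = [r["label"] for r in records]
    params = fit_scaler(raw)
    rows = [scale(r, params) for r in raw]
    keys = select(rows, labels, top_k)
    correct = 0
    for i in range(len(rows)):
        train_rows = rows[:i] + rows[i + 1:]
        train_labels = labels[:i] + labels[i + 1:]
        correct += nearest_centroid(train_rows, train_labels, rows[i], keys) == labels[i]
    return keys, correct / len(rows)


if __name__ == "__main__":
    # The one UPX-packed benign record is the sample this feature set gets wrong.
    print(pipeline(RECORDS))
```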
        <p>The disadvantages of the considered methods require new approaches to the detection and
analysis of malicious software. Among them is the detection of malware using probabilistic
logic networks (PLN).</p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3. Methodology</title>
      <sec id="sec-3-1">
        <title>3.1. Probabilistic logic networks (PLN)</title>
        <p>Malware detection is a critical aspect of cyber security. PLNs [26-28] offer a powerful
approach to detecting and mitigating malware threats. PLNs combine probabilistic reasoning with
logical inference to model complex relationships and dependencies in malware detection.</p>
        <p>A PLN is a hybrid framework that combines probabilistic graphical models with first-order
logic. PLNs provide a flexible and expressive representation for capturing uncertainty and
reasoning about complex domains. They utilize the strengths of both probabilistic reasoning
and logical inference, making them suitable for malware detection.</p>
        <p>One of the key advantages of PLNs in malware detection is their ability to handle uncertain
and incomplete information. By assigning probabilities to different hypotheses, PLNs can
estimate the probability of the presence of malware and make informed decisions. This
probabilistic reasoning allows for more accurate and adaptive detection mechanisms.</p>
        <p>PLNs excel at capturing complex malware behaviors and patterns. They can represent both
static and dynamic characteristics of malware, including code structure, system interactions,
and propagation mechanisms. By modeling this behavior, PLNs can effectively distinguish
between legitimate and malicious software.</p>
        <p>To train a PLN to detect malware, a large dataset of known malware samples and benign
software is required. Machine learning methods can be used to learn the PLN parameters and
structure from these data. By iteratively refining the PLN with training examples, it can be
tuned to accurately detect and classify malware.</p>
        <p>Advantages of PLN for malware detection:
flexibility: PLNs provide a flexible framework for modeling and justifying malware
behavior, allowing for adaptation to new threats;
processing uncertainty: the probabilistic nature of PLN allows processing uncertain and
incomplete information, increasing the accuracy of malware detection;
expressiveness: PLNs can capture complex relationships and dependencies found in
malware, providing more comprehensive detection capabilities;
training from data: PLN can be trained using machine learning techniques, allowing for
continuous improvement based on new malware samples.</p>
        <p>Challenges in PLN for malware detection:
scalability: as the complexity of malware and the size of datasets increase, scaling PLN
to handle large-scale detection becomes a challenge;
knowledge development: creating a knowledge base and defining logical rules for
detecting malicious software requires experience and knowledge in the field;
computational complexity: performing inference and learning in PLN can be
computationally demanding, requiring efficient algorithms and systems.</p>
      </sec>
      <sec id="sec-3-2">
        <title>3.2. A comprehensive approach to the detection and analysis of polymorphic malware</title>
        <p>For the detection of polymorphic malicious software, the study proposes a comprehensive
approach (Figure 5) consisting of 3 stages. The first one uses string search algorithms. The
second is a complex of methods, including intelligent data analysis, sandbox analysis, machine
learning, and structural feature engineering. In the third step, the use of PLN is proposed, which
makes it possible to establish the probability that the software belongs to polymorphic malware.
The proposed integrated approach also makes it possible to determine the necessary methods
for neutralization of the detected malicious software.</p>
        <p>Figure 5. Block diagram of the comprehensive approach. Step 1: string search algorithms.
Step 2: intelligent data analysis (data collection, data preprocessing, algorithms of intelligent
data analysis, post-processing of results, visual dashboard or notification system), sandbox
analysis (static analysis, dynamic analysis), machine learning (static analysis, dynamic analysis),
and structural feature engineering (understanding data, identification, extraction, construction,
selection, encoding, scaling and validation of features). Step 3: probabilistic logic networks.</p>
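        <p>As an added illustration of the third stage described in Sections 3.1 and 3.2 (not code from the paper), the following Python sketch applies two PLN inference rules, deduction and revision, to fuse the evidence produced by steps 1 and 2 into a probability that a sample is polymorphic malware and maps it onto the probability bands used in Section 4. The rule strengths, evidence counts, base rates, the evidence-count rule for deduction and the band-to-response mapping are constructed assumptions.</p>

```python
from dataclasses import dataclass

K = 10.0  # PLN "personality" constant: confidence = count / (count + K)


@dataclass(frozen=True)
class TV:
    """PLN truth value: estimated strength (probability) and evidence count."""
    strength: float
    count: float

    def confidence(self):
        return self.count / (self.count + K)


def deduction(ab, bc, s_b, s_c):
    """PLN deduction rule: from A→B and B→C infer A→C, given the base
    rates s_b = P(B) and s_c = P(C) (independence-based formula)."""
    s = ab.strength * bc.strength
    s += (1 - ab.strength) * (s_c - s_b * bc.strength) / (1 - s_b)
    s = min(1.0, max(0.0, s))
    # Assumption: the conclusion carries no more evidence than its weaker premise.
    return TV(s, min(ab.count, bc.count))


def revision(*tvs):
    """PLN revision rule: merge independent estimates of the same link,
    weighting each strength by its evidence count."""
    n = sum(t.count for t in tvs)
    return TV(sum(t.strength * t.count for t in tvs) / n, n)


# Constructed knowledge base: for each evidence type produced by steps 1 and 2,
# the rule "Evidence → PolymorphicMalware" (strength, evidence count) and the
# base rate of that evidence over all software. All values are assumed.
RULES = {
    "suspicious_strings": {"rule": TV(0.35, 8), "base_rate": 0.20},
    "self_modifying_code": {"rule": TV(0.85, 60), "base_rate": 0.05},
    "ml_flagged": {"rule": TV(0.80, 200), "base_rate": 0.10},
}
PRIOR_POLYMORPHIC = 0.10  # assumed base rate of polymorphic malware
OBSERVATION_COUNT = 50    # assumed evidence behind each stage's verdict


def probability_band(p):
    """Bands used in Section 4: 0-25% low, 25-75% medium, 75-100% high."""
    if p >= 0.75:
        return "high"
    if p >= 0.25:
        return "medium"
    return "low"


def assess(observations):
    """observations: evidence name → True/False as reported by steps 1 and 2.
    Returns (probability that the sample is polymorphic malware, band)."""
    chains = []
    for name, kb in RULES.items():
        # Sample→Evidence link: strength 1 if the stage observed it, else 0.
        observed = TV(1.0 if observations.get(name) else 0.0, OBSERVATION_COUNT)
        chains.append(deduction(observed, kb["rule"], kb["base_rate"], PRIOR_POLYMORPHIC))
    fused = revision(*chains)
    return fused.strength, probability_band(fused.strength)


# Assumed mapping from band to the neutralization measures applied afterwards.
RESPONSE = {
    "high": "quarantine the sample and block execution",
    "medium": "full sandbox run and analyst review",
    "low": "allow, keep monitoring",
}

if __name__ == "__main__":
    obs = {"suspicious_strings": True, "self_modifying_code": True, "ml_flagged": False}
    p, band = assess(obs)
    print(round(p, 3), band, RESPONSE[band])
```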
      </sec>
    </sec>
    <sec id="sec-4">
      <title>4. Experiments</title>
      <p>A series of experiments was conducted to determine the effectiveness of the proposed
technique. Various polymorphic generators were used to obtain modified polymorphic versions
of viruses taken from [29]. All polymorphic versions produced by the generators were compiled
with anti-debugging and anti-emulation options. For the first experiment, 100 viruses were
generated. To evaluate the effectiveness of the proposed method, the percentage of detected
viruses was determined at each step of the comprehensive approach proposed in the study.</p>
      <p>The results of the conducted experiment are shown in Table 1.</p>
      <p>Thus, only 12% of viruses were detected in step 1, 61% in step 2, and 89% in step 3 using PLN.
The gain in detection attributable to PLN in this experiment is therefore 28 percentage points
(from 61% to 89%). Of the 89% of viruses detected by PLN, 9% were assigned a probability of
belonging to malicious software in the range 0-25% (low level), 19% in the range 25-75%
(medium level), and 72% in the range 75-100% (high level). The use of PLN thus made it possible
not only to increase the effectiveness of malware detection, but also to classify detected
samples by the level of probability of belonging to malicious software.</p>
    </sec>
    <sec id="sec-5">
      <title>5. Conclusions</title>
      <p>The study proposes a comprehensive approach to the detection and analysis of polymorphic
malware. This approach consists of three stages. The first one uses string search algorithms.
The second is a complex of methods, including intelligent data analysis, sandbox analysis,
machine learning and structural feature engineering. In the third step, the use of PLN is
proposed, which will allow establishing the probability of the software belonging to
polymorphic malware. The gain in detection attributable to PLN in the conducted experiment
is 28 percentage points. The use of PLN made it possible not only to increase the effectiveness
of malware detection, but also to classify detected samples by the level of probability of
belonging to malicious software.</p>
      <p>[16] R. Beg, R. K. Pateriya, D. S. Tomar, ACMFNN: A Novel design of an augmented convolutional
model for intelligent cross-domain malware localization via forensic neural networks, IEEE
Access XX (2017). doi: 10.1109/ACCESS.2023.3305274
[17] Z. Balazs, Malware Analysis Sandbox Testing Methodology, The Journal on Cybercrime &amp;
Digital Investigations 1, 1 (2015). doi: 10.18464/cybin.v1i1.3
[18] B. Sun, A. Fujino, T. Mori, T. Ban, T. Takahashi, D. Inoue, Automatically Generating Malware
Analysis Reports Using Sandbox Logs, IEICE Transactions on Information and Systems E101-D,
11 (2018) 2622-2632. doi: 10.1587/transinf.2017ICP0011
[19] R. Chiwariro, L. Pullagura, Malware Detection and Classification Using Machine Learning
Algorithms, International Journal for Research in Applied Science &amp; Engineering Technology
(IJRASET) 11 (2023) 1727-1738. doi: 10.22214/ijraset.2023.55255
[20] A. J. Kurian, A. Santhosh, M. Subin, Enhanced malware detection framework leveraging
machine learning algorithms, International Research Journal of Modernization in Engineering
Technology and Science 06(03) (2024) 3597-3603.
[21] I. Obeidat, M. AlZubi, Developing a faster pattern matching algorithms for intrusion detection
system, International Journal of Computing 18(3) (2019) 278-284. doi: 10.47839/ijc.18.3.1520
[22] S. Cesare, Y. Xiang, Classification of malware using structured control flow, in: Proceedings of
the 8th Australasian Symposium on Parallel and Distributed Computing, AusPDC 2010,
Brisbane, Australia, 107, 2010, pp. 61-70. doi: 10.5555/1862294.1862301
[23] E. Masabo, K. S. Kaawaase, J. Sansa-Otim, D. Hanyurwimfura, Structural Feature Engineering
approach for detecting polymorphic malware, in: Proceedings of the 15th IEEE Intl Conf on
Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and
Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and
Technology Congress, DASC/PiCom/DataCom/CyberSciTech, 2017, pp. 716-721. doi:
10.1109/DASC-PICom-DataCom-CyberSciTec.2017.125
[24] Y. T. Ling, N. F. M. Sani, M. T. Abdullah, N. A. W. A. Hamid, Metamorphic malware detection
using structural features and nonnegative matrix factorization with hidden Markov model,
Journal of Computer Virology and Hacking Techniques 18 (2022) 183-203. doi:
10.1007/s11416-021-00404-z
[25] Y. T. Ling, N. F. M. Sani, M. T. Abdullah, N. A. W. A. Hamid, Structural Features with
Nonnegative Matrix Factorization for Metamorphic Malware Detection, Computers &amp;
Security 104, 2 (2021) 102216. doi: 10.1016/j.cose.2021.102216
[26] M. Qu, J. Tang, Probabilistic Logic Neural Networks for Reasoning, in: Proceedings of the
33rd Conference on Neural Information Processing Systems, NeurIPS 2019, Vancouver, Canada,
2019. doi: 10.48550/arXiv.1906.08495
[27] K. M. M. Sadeghi, B. Goertzel, Uncertain Interval Algebra via fuzzy/probabilistic modeling, in:
Proceedings of the 2014 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE), Beijing,
China, 2014. doi: 10.1109/FUZZ-IEEE.2014.6891863
[28] C. Harrigan, B. Goertzel, M. Ikle, A. Belayneh, G. Yu, Guiding Probabilistic Logical Inference
with Nonlinear Dynamical Attention Allocation, Lecture Notes in Computer Science 8598
(2014) 238-241.
[29] VX Heavens [online]. URL: http://vxheaven.org/</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>A.</given-names>
            <surname>Kashtalian</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Lysenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Savenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Nicheporuk</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Sochor</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Avsiyevych</surname>
          </string-name>
          ,
          <article-title>Multicomputer malware detection systems with metamorphic functionality</article-title>
          ,
          <source>Radioelectronic and Computer Systems</source>
          <volume>1</volume>
          (
          <year>2024</year>
          )
          <fpage>152</fpage>
          -
          <lpage>175</lpage>
          . doi: 10.32620/reks.2024.1.13.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>G.</given-names>
            <surname>Markowsky</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Savenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Lysenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Nicheporuk</surname>
          </string-name>
          ,
          <article-title>The technique for metamorphic viruses' detection based on its obfuscation features analysis</article-title>
          ,
          <source>CEUR-WS</source>
          <volume>2104</volume>
          (
          <year>2018</year>
          ):
          <fpage>680</fpage>
          -
          <lpage>687</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>O.</given-names>
            <surname>Pomorova</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Savenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Lysenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Nicheporuk</surname>
          </string-name>
          ,
          <article-title>Metamorphic Viruses Detection Technique based on the Modified Emulators</article-title>
          ,
          <source>CEUR-WS</source>
          <volume>1614</volume>
          (
          <year>2016</year>
          )
          <fpage>375</fpage>
          -
          <lpage>383</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>O.</given-names>
            <surname>Savenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Lysenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Nicheporuk</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Savenko</surname>
          </string-name>
          ,
          <article-title>Approach for the Unknown Metamorphic Virus Detection</article-title>
          ,
          <source>in: Proceedings of the 8-th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications</source>
          , IDAACS, Bucharest, Romania,
          <year>2017</year>
          , pp.
          <fpage>71</fpage>
          -
          <lpage>76</lpage>
          . doi: 10.1109/IDAACS.2017.8095052
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>B.</given-names>
            <surname>Savenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Kashtalian</surname>
          </string-name>
          ,
          <article-title>A method for determining the effectiveness of a distributed system for detecting abnormal manifestations</article-title>
          ,
          <source>Computer Systems and Information Technologies</source>
          <volume>2</volume>
          (
          <year>2022</year>
          )
          <fpage>14</fpage>
          -
          <lpage>22</lpage>
          . doi: 10.31891/csit-2022-2-2. In Ukrainian.
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>A.</given-names>
            <surname>Damodaran</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.D.</given-names>
            <surname>Troia</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.A.</given-names>
            <surname>Visaggio</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T. H.</given-names>
            <surname>Austin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Stamp</surname>
          </string-name>
          ,
          <article-title>A comparison of static, dynamic, and hybrid analysis for malware detection</article-title>
          ,
          <source>J Comput Virol Hack Tech</source>
          <volume>13</volume>
          (
          <year>2017</year>
          )
          <fpage>1</fpage>
          -
          <lpage>12</lpage>
          . doi: 10.1007/s11416-015-0261-z
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <source>Statistic Data</source>
          . URL: https://www.statista.com/.
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>K.</given-names>
            <surname>Brezinski</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Ferens</surname>
          </string-name>
          ,
          <article-title>Metamorphic Malware and Obfuscation: A Survey of Techniques, Variants, and Generation Kits</article-title>
          ,
          <source>Security and Communication Networks</source>
          <volume>2023</volume>
          (
          <year>2023</year>
          )
          8227751. doi: 10.1155/2023/8227751.
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>M.</given-names>
            <surname>Singh</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Carlson</surname>
          </string-name>
          ,
          <article-title>Exploring Polymorphic Algorithms and Their Use in Cryptography</article-title>
          ,
          <source>in: Proceedings of the 2024 IEEE 14th Annual Computing and Communication Workshop and Conference</source>
          , CCWC, Las Vegas, NV, USA,
          <year>2024</year>
          . doi: 10.1109/CCWC60891.2024.10427812.
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>B.</given-names>
            <surname>Anderson</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>McGrew</surname>
          </string-name>
          ,
          <article-title>OS fingerprinting: New techniques and a study of information gain and obfuscation</article-title>
          ,
          <source>in: Proceedings of the 2017 IEEE Conference on Communications and Network Security</source>
          , CNS, Las Vegas,
          <year>2017</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>9</lpage>
          . doi: 10.1109/CNS.2017.8228647
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>L.</given-names>
            <surname>Bilge</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Han</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Dell'Amico</surname>
          </string-name>
          ,
          <article-title>Riskteller: Predicting the risk of cyber incidents</article-title>
          ,
          <source>in: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security</source>
          , Dallas, Texas, USA,
          <year>2017</year>
          , pp.
          <fpage>1299</fpage>
          -
          <lpage>1311</lpage>
          . doi: 10.1145/3133956.3134022
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>U.</given-names>
            <surname>Urooj</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.A.S.</given-names>
            <surname>Al-rimy</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Zainal</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.A.</given-names>
            <surname>Ghaleb</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.A.</given-names>
            <surname>Rassam</surname>
          </string-name>
          ,
          <article-title>Ransomware Detection Using the Dynamic Analysis and Machine Learning: A Survey and Research Directions</article-title>
          ,
          <source>Applied Sciences</source>
          <volume>12</volume>
          (
          <year>2022</year>
          )
          172. doi: 10.3390/app12010172
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>K.</given-names>
            <surname>Gundogan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Gupta</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Garland</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Varol</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Shashidhar</surname>
          </string-name>
          ,
          <article-title>Identifying Malware Family with String Matching Algorithms Based on API Calls and Entire Strings</article-title>
          ,
          <source>in: Proceedings of the 12th International Symposium on Digital Forensics and Security</source>
          , ISDFS, San Antonio, TX, USA,
          <year>2024</year>
          . doi: 10.1109/ISDFS60797.2024.10527225.
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <given-names>Zh.</given-names>
            <surname>Zhang</surname>
          </string-name>
          ,
          <article-title>Review on String-Matching Algorithm</article-title>
          ,
          <source>SHS Web of Conferences</source>
          <volume>144</volume>
          (
          <year>2022</year>
          )
          03018. doi: 10.1051/shsconf/202214403018
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>H.</given-names>
            <surname>Sayadi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Z.</given-names>
            <surname>He</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H. M.</given-names>
            <surname>Makrani</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.</given-names>
            <surname>Homayoun</surname>
          </string-name>
          ,
          <article-title>Intelligent Malware Detection based on Hardware Performance Counters: A Comprehensive Survey</article-title>
          ,
          <source>in: Proceedings of the 25-th International Symposium on Quality Electronic Design</source>
          , ISQED'24, San Francisco, California,
          <year>2024</year>
          . doi: 10.1109/ISQED60706.2024.10528369
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>